Date: Thu, 16 Feb 2006 09:03:31 +1000
From: Maxim Vetrov <muxas@mail.ru>
To: freebsd-questions@FreeBSD.org
Cc: fbsd_user@a1poweruser.com, chris@i13i.com
Subject: Re: IPFILTER rule error
Message-ID: <43F3B343.5070802@mail.ru>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGGEDJHNAA.fbsd_user@a1poweruser.com>
References: <MIEPLLIBMLEEABPDBIEGGEDJHNAA.fbsd_user@a1poweruser.com>
Hi!

Thanks for your attention!

>> First of all you really need to read the ipfilter section of the FreeBSD handbook...
>> fbsd_user@a1poweruser.com

I've read the handbook. Good starting point! :-) Given that I just _TEST_ ipf config ported from 5.4 to 6.0 on local LAN, I do not violate the theoretical background of firewalling. Grouping is used to differentiate inbound/outbound traffic; probably I will use it to diff interfaces.

>> I don't know if you posted the whole ruleset or if you cut out what seemed irrelevant to keep the post short...
>> Erik Norgaard

Yes, I do not show you the whole story about ipf.rules, only the skeleton and the problematic lines. The reason for that is that ipfilter works with basic ipf.rules, and ipfstat confirms that. But no logs as expected (but eventually I've found where log info went: it appeared at /var/log/messages, and not in /var/log/security as configured!). By the way, I prefer to use syslogd because it allows for log rotation, which is goooood! :-)

Problem with "no such process" appeared when I added to ipf.rules the line

**** pass out quick on rl0 \
**** proto udp from any to any port = sunrpc keep state group 20

It doesn't matter whether the port parameter is expressed as a name or a number. I have other lines written both ways and all of that works! Again, the error is presented only when I insert the above line in ipf.rules. This is an outbound rule; I've had the inbound rule in the basic setup (you can see it in my previous post) and it ran just well!

Ok, in the attachment there is the whole story about ipf.rules as it is. As I've found from the handbook this way of firewalling is called "inclusive" %-).

Regards,
Muxas

P.S. I apologize for my message timing, it's the second question I'll ask after ipf :-)

Attachment: ipf.rules

################################################################################
#                        External interface - ppp0                             #
################################################################################
#%%%%%%%%%%%%%%%%%% Block-and-log everything that is not allowed explicitly %%%%
#block in log on ppp0 all head 10
#block out log on ppp0 all head 15
#%%%%%%%%%%%%%%%%%% Allow DNS requests %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#    proto tcp/udp from any to any port = domain keep state group 15
#%%%%%%%%%%%%%%%%%% Allow outbound HTTP packets %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#    proto tcp from any to any port = 80 keep state keep frags group 15
#%%%%%%%%%%%%%%%%%% Allow outbound FTP packets %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#    proto tcp from any to any port = 21 keep state group 15
#%%%%%%%%%%%%%%%%%% Allow inbound FTP-data packets %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass in quick on ppp0 \
#    proto tcp/udp from any port = 20 to any port > 1024 keep state group 10
#%%%%%%%%%%%%%%%%%% Allow outbound Jabber connections %%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#    proto tcp from any to any port = 5222 keep state group 15
#%%%%%%%%%%%%%%%%%% Allow POP3 outgoing connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#    proto tcp/udp from any to any port = 110 keep state group 15
#%%%%%%%%%%%%%%%%%% Allow SMTP outgoing connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#    proto tcp/udp from any to any port = 25 keep state group 15
#%%%%%%%%%%%%%%%%%% Allow outgoing CVS connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#    proto tcp/udp from any to any port = 5999 keep state group 15

################################################################################
#                  Internal interface #1 - rl0 (10.0.1.0/29)                   #
################################################################################
#%%%%%%%%%%%%%%%%% Block-and-log everything that is not allowed explicitly %%%%%
block in log on rl0 all head 20
block out log on rl0 all head 25
#pass in on rl0 from 10.0.1.1/29 to any group 20
#pass out on rl0 from any to 10.0.1.1/29 group 25
#%%%%%%%%%%%%%%%%% Allow ping %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto icmp all keep state group 20
pass out quick on rl0 \
    proto icmp all keep state group 25
#%%%%%%%%%%%%%%%%% Allow DNS requests %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp/udp from any to any port = domain keep state group 20
#%%%%%%%%%%%%%%%%% Allow DHCP requests %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp/udp from any port = 68 to any port = 67 group 20
#%%%%%%%%%%%%%%%%% Allow HTTP requests from local network %%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp from any to any port = 80 keep state keep frags group 20
#%%%%%%%%%%%%%%%%% Allow FTP requests from local network %%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 proto tcp from any to any port = 21 keep state group 20
#%%%%%%%%%%%%%%%%% Allow inbound FTP-data packets %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass out quick on rl0 \
    proto tcp/udp from any port = 20 to any port > 1024 keep state group 25
#%%%%%%%%%%%%%%%%% Allow inbound Jabber connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp from any to any port = 5222 keep state group 20
#%%%%%%%%%%%%%%%%% Allow Sun RPC incoming calls %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \
    proto tcp/udp from any to any port = 717 keep state group 20
# the next line raises the error when uncommented
#pass out quick on rl0 \
#    proto udp from any to any port = 111 keep state group 20
#%%%%%%%%%%%%%%%%% Allow NFS incoming requests %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp/udp from any to any port = 2049 keep state group 20
# mountd fixed port=1041
pass in quick on rl0 \
    proto udp from any to any port = 1041 keep state group 20
#%%%%%%%%%%%%%%%% Allow POP3 connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp/udp from any to any port = 110 keep state group 20
#%%%%%%%%%%%%%%%% Allow SMTP connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp/udp from any to any port = 25 keep state group 20
#%%%%%%%%%%%%%%%% Allow NetBIOS Naming System service %%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp/udp from any to any port = 137 keep state group 20
pass out quick on rl0 \
    proto tcp/udp from any to any port = 137 keep state group 25
#%%%%%%%%%%%%%%%% Allow NetBIOS Datagram Service %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp/udp from any to any port = 138 keep state group 20
pass out quick on rl0 \
    proto tcp/udp from any to any port = 138 keep state group 25
#%%%%%%%%%%%%%%%% Allow SMB over NetBIOS over TCP %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp/udp from any to any port = 139 keep state group 20
pass out quick on rl0 \
    proto tcp/udp from any to any port = 139 keep state group 25
#%%%%%%%%%%%%%%%% Allow SMB Session service %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp/udp from any to any port = 445 keep state group 20
pass out quick on rl0 \
    proto tcp/udp from any to any port = 445 keep state group 25
#%%%%%%%%%%%%%%% Allow PostgreSQL connections on default port %%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp/udp from any to any port = 5432 keep state group 20
pass out quick on rl0 \
    proto tcp/udp from any to any port = 5432 keep state group 25
#%%%%%%%%%%%%%%% Allow FireBird connections on default port %%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
    proto tcp from any to any port = 5030 keep state group 20
pass out quick on rl0 \
    proto tcp from any to any port = 5030 keep state group 25

################################################################################
#                  Internal interface #2 - vr0 (10.0.2.0/29)                   #
################################################################################
pass in quick on vr0 all
pass out quick on vr0 all
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43F3B343.5070802>
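A lint for the pattern visible in the attached ruleset, added here as an example and not part of the thread or of ipfilter itself: every `pass out` rule that loads without complaint references group 25, whose head is `block out log on rl0 all head 25`, while the single line that fails is a `pass out` that references group 20, whose head is `block in log on rl0 all head 20`. The script joins backslash-continued lines, records the direction (`in`/`out`) of each `head N` rule, and reports any rule whose `group N` points at a head of the other direction or at a group that has no head at all. Treating that mismatch as the cause of the "No such process" error is an assumption made for the example; the sample ruleset is constructed and reproduces only the skeleton of the attachment.

```python
"""Lint an ipf.rules file for group/head direction mismatches.

Added example, not code from the thread or from ipfilter.  Assumption: a
rule whose ``group N`` names a head of the opposite direction (``pass out
... group 20`` under ``block in ... head 20``) is the error being reported.
"""
import re

# Constructed sample: the skeleton of the attached ipf.rules with the
# problem line uncommented, plus one rule that names a group without a head.
SAMPLE_RULES = r"""
# Internal interface #1 - rl0
block in log on rl0 all head 20
block out log on rl0 all head 25
pass in quick on rl0 \
    proto tcp/udp from any to any port = sunrpc keep state group 20
pass out quick on rl0 \
    proto tcp/udp from any to any port = 137 keep state group 25
# the line reported as "No such process" in the post
pass out quick on rl0 \
    proto udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 proto tcp from any to any port = 21 keep state group 99
"""

_HEAD = re.compile(r"\bhead\s+(\S+)")
_GROUP = re.compile(r"\bgroup\s+(\S+)")
_DIR = re.compile(r"^(?:pass|block|log|count|auth|preauth|skip|call)\s+(in|out)\b")


def logical_lines(text):
    """Yield (first_line_number, rule_text): backslash continuations are
    joined, trailing comments stripped, blank and comment-only lines dropped."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        rule = " ".join(part for part in buf if part)
        if rule:
            yield start, rule
        buf, start = [], None


def parse_rules(text):
    """Extract direction, head name and group name from every logical rule."""
    rules = []
    for lineno, rule in logical_lines(text):
        direction = _DIR.match(rule)
        head = _HEAD.search(rule)
        group = _GROUP.search(rule)
        rules.append({
            "line": lineno,
            "text": rule,
            "dir": direction.group(1) if direction else None,
            "head": head.group(1) if head else None,
            "group": group.group(1) if group else None,
        })
    return rules


def lint_groups(text):
    """Return [(line, problem, rule_text)] for every rule whose ``group N``
    does not correspond to a ``head N`` rule of the same direction."""
    rules = parse_rules(text)
    heads = {}  # group name -> direction of the rule that declared the head
    for r in rules:
        if r["head"] is not None:
            heads.setdefault(r["head"], r["dir"])
    problems = []
    for r in rules:
        g = r["group"]
        if g is None:
            continue
        if g not in heads:
            problems.append((r["line"], f"group {g} has no head rule", r["text"]))
        elif heads[g] != r["dir"]:
            problems.append((
                r["line"],
                f"{r['dir']} rule joins group {g}, whose head is an {heads[g]} rule",
                r["text"],
            ))
    return problems


if __name__ == "__main__":
    for line, why, text in lint_groups(SAMPLE_RULES):
        print(f"line {line}: {why}\n    {text}")
```

Run against the real file with `lint_groups(open("/etc/ipf.rules").read())`; the only rule it reports in the attached ruleset is the commented-out `pass out ... port = 111 ... group 20` line once it is uncommented, because the outbound head on rl0 is group 25.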